Critical WinRAR Vulnerability Under Active Exploitation
A critical path traversal vulnerability (CVE-2025-8088) in WinRAR is being actively exploited by government-backed threat actors linked to Russia and China, as well as by financially motivated cybercriminals. The phishing campaigns deliver archives that force WinRAR to write malware into the Windows Startup folder, giving the payload automatic execution on login for ransomware and credential theft.
Vulnerability Details
| CVE ID | CVE-2025-8088 |
|---|---|
| Component | WinRAR |
| Vulnerability Type | Path Traversal |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network (phishing) |
| Privileges Required | None |
| User Interaction | Required (extract malicious archive) |
How the Attack Works
Step 1: Weaponized Phishing Email
Attackers send emails containing:
- Malicious RAR archives disguised as legitimate documents
- Social engineering lures (invoices, resumes, contracts)
- Trusted file names to avoid suspicion
Step 2: Path Traversal Exploitation
When the victim extracts the archive using WinRAR, the vulnerability allows attackers to:
- Bypass extraction path restrictions
- Write files to arbitrary locations on the system
- Target the Windows Startup folder (C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup)
Step 3: Persistent Malware Execution
Once malware is written to the Startup folder:
- Automatic execution on login — Malware runs every time the user logs in
- No user interaction required — Silently activates in the background
- Persistence across reboots — Survives system restarts
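As an added example (not code from the advisory or from RarLab), a pre-extraction check that resolves every archive entry name against the chosen destination folder and refuses any entry that would escape it or land in a Startup folder. The destination and entry names are constructed for illustration, and the check uses ntpath so Windows path rules apply on any platform.

```python
import ntpath

# Added example (not from the advisory): pre-extraction safety check for
# archive entry names. Uses ntpath so Windows path rules apply everywhere.

# Tail shared by every Startup folder, case-folded for comparison.
STARTUP_SUFFIX = ntpath.normcase(r"\Microsoft\Windows\Start Menu\Programs\Startup")


def resolve_entry(dest_dir, entry_name):
    """Absolute, normalized path the entry would be written to, or None if
    the name is rejected outright (absolute, drive/UNC, or contains ':')."""
    name = entry_name.replace("/", "\\")
    if name.startswith("\\") or ntpath.splitdrive(name)[0]:
        return None
    if ":" in name:  # ':' is only valid in drive specs and NTFS stream names
        return None
    return ntpath.normpath(ntpath.join(dest_dir, name))


def is_safe_entry(dest_dir, entry_name):
    """True only if the entry resolves to dest_dir or somewhere beneath it."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir))
    target = resolve_entry(dest_dir, entry_name)
    if target is None:
        return False
    target = ntpath.normcase(target)
    return target == dest or target.startswith(dest + "\\")


def lands_in_startup(dest_dir, entry_name):
    """True if the entry would be written into a Startup folder."""
    target = resolve_entry(dest_dir, entry_name)
    return target is not None and ntpath.normcase(ntpath.dirname(target)).endswith(STARTUP_SUFFIX)


def audit_archive(dest_dir, entry_names):
    """Return (entry, reason) for every entry that should block extraction."""
    findings = []
    for name in entry_names:
        if not is_safe_entry(dest_dir, name):
            reason = "writes into Startup folder" if lands_in_startup(dest_dir, name) else "escapes destination"
            findings.append((name, reason))
    return findings


# Constructed sample: one legitimate entry, one traversal into the user's Startup folder.
SAMPLE_DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
]

if __name__ == "__main__":
    for entry, reason in audit_archive(SAMPLE_DEST, SAMPLE_ENTRIES):
        print(f"BLOCK {entry}: {reason}")
```

Run the same audit over the entry listing of any untrusted archive before extracting it; a single blocked entry is reason to quarantine the whole file.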
Attack Payload Types
1. Ransomware
- File encryption — Locks user files and demands payment
- Data exfiltration — Steals data before encryption (double extortion)
- Lateral movement — Spreads across network shares
2. Credential Stealers
- Browser credential theft — Extracts saved passwords from Chrome, Edge, Firefox
- Keylogging — Captures passwords as they're typed
- Session hijacking — Steals active authentication tokens
3. Remote Access Trojans (RATs)
- Backdoor access — Allows attackers to control the system remotely
- Command execution — Runs arbitrary commands
- Surveillance — Screen recording, webcam access, microphone monitoring
Attribution
Government-Backed Threat Actors
Intelligence agencies have identified exploitation by:
| Actor | Country | Objectives |
|---|---|---|
| APT28 (Fancy Bear) | Russia | Espionage, political influence |
| APT29 (Cozy Bear) | Russia | Intelligence gathering |
| APT41 | China | Intellectual property theft, espionage |
| Mustang Panda | China | Targeted espionage campaigns |
Financially Motivated Actors
Ransomware groups exploiting CVE-2025-8088 include:
- LockBit — Enterprise ransomware operations
- ALPHV/BlackCat — High-value target ransomware
- Play Ransomware — Data exfiltration and encryption
Indicators of Compromise (IOCs)
File-Based IOCs
- Malicious RAR archives with unusual metadata
- Files in Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
- Unexpected executables in temp directories (%TEMP%, %LOCALAPPDATA%)
Behavioral IOCs
- WinRAR extracting to Startup folder (normal behavior never does this)
- New autostart entries in Windows Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
- Outbound connections to known C2 infrastructure
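Added example, not from the advisory: the first two behavioral indicators above evaluated over constructed file-create and registry events. The event field names (type, process, path, key) are assumptions standing in for whatever an EDR or Sysmon pipeline actually provides.

```python
import ntpath

# Added example (not from the advisory): evaluates the behavioral IOCs above
# over constructed endpoint events. Field names are assumptions for this example.

STARTUP_SUFFIX = ntpath.normcase(r"\Microsoft\Windows\Start Menu\Programs\Startup")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def expand_win_env(path, env):
    """Expand %VAR% placeholders from a supplied mapping, so the check runs off-Windows."""
    for var, value in env.items():
        path = path.replace(f"%{var}%", value)
    return path


def is_startup_dir(folder, env):
    """True if folder (after %APPDATA% expansion) is a Startup folder."""
    full = ntpath.normcase(ntpath.normpath(expand_win_env(folder, env)))
    return full.endswith(STARTUP_SUFFIX)


def classify_event(event, env):
    """Return an alert name for a suspicious event, or None."""
    proc = ntpath.basename(event.get("process", "")).lower()
    if event["type"] == "file_create":
        if is_startup_dir(ntpath.dirname(event["path"]), env):
            # Archive tools never write to Startup during normal extraction.
            return "winrar-write-to-startup" if proc == "winrar.exe" else "new-startup-item"
    elif event["type"] == "registry_set":
        key = event["key"].lower().replace("hkey_current_user", "hkcu")
        if key == RUN_KEY:
            return "new-run-key-value"
    return None


def scan(events, env):
    """Return (event id, alert) pairs for events that matched an indicator."""
    return [(e["id"], a) for e in events if (a := classify_event(e, env))]


SAMPLE_ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"id": 1, "type": "file_create", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"id": 2, "type": "file_create", "process": r"C:\Program Files\WinRAR\WinRAR.exe",
     "path": r"C:\Users\alice\Downloads\invoice\invoice.pdf"},
    {"id": 3, "type": "registry_set", "process": r"C:\Windows\System32\reg.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"id": 4, "type": "file_create", "process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk"},
]

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_EVENTS, SAMPLE_ENV):
        print(event_id, alert)
```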
Network IOCs
Watch for connections to:
- Russian IP ranges associated with APT28/29 infrastructure
- Chinese IP ranges linked to APT41/Mustang Panda
- Tor exit nodes (used by ransomware C2)
Affected Versions
All versions of WinRAR prior to the latest patch are vulnerable.
Confirmed Vulnerable Versions
- WinRAR 6.x (all versions)
- WinRAR 7.x (all versions prior to patch)
Patched Version
- WinRAR 7.10 (build 2026-02-10) — Patch released
Remediation
Immediate Actions
- Update WinRAR immediately — Download the latest version from www.rarlab.com
- Scan Startup folder — Check %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup for suspicious files
- Review autoruns — Use Sysinternals Autoruns to identify malicious persistence mechanisms
- Block RAR files at email gateway — Consider blocking .rar attachments temporarily
Long-Term Security
- Implement application allowlisting — Use Windows Defender Application Control or AppLocker
- Disable archive extraction in Startup folder — Configure WinRAR security settings
- User training — Educate employees on phishing risks with RAR attachments
- Monitor file system changes — Use EDR solutions to detect unauthorized writes to Startup folder
Detection Queries
Windows Defender Advanced Hunting (KQL)
```kql
DeviceFileEvents
| where FolderPath has "Start Menu\\Programs\\Startup"
| where InitiatingProcessFileName =~ "WinRAR.exe"
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
```
Splunk
```spl
index=windows sourcetype=WinEventLog:Security EventCode=4663
| search Object_Name="*\\Startup\\*"
| search Process_Name="*WinRAR.exe"
| table _time, Computer, Object_Name, Process_Name, User
```
Event ID 4663 is only logged when object access auditing is enabled and a SACL is set on the Startup folder, so confirm that audit policy before relying on the Splunk search.
Mitigation for WinRAR Users
If you cannot immediately update WinRAR:
- Disable auto-extraction — Avoid "Extract Here" feature
- Manually specify extraction path — Always choose "Extract to specific folder"
- Use alternative tools — Consider 7-Zip or built-in Windows archive support
- Sandbox untrusted archives — Use virtual machines to extract suspicious files
Impact Assessment
Global Reach
WinRAR is installed on:
- 500+ million devices worldwide
- Used by governments, enterprises, and individuals
- Popular in Eastern Europe, Asia, and emerging markets
Attack Success Rate
Security researchers estimate:
- 15-20% phishing open rate for well-crafted emails
- 30-40% extraction rate (users who open the attachment and extract it)
- Overall compromise rate: 5-8% of targeted users
For a campaign targeting 10,000 users, this could result in 500-800 successful infections.
Recommendations for Organizations
High Priority
- Inventory WinRAR installations across your environment
- Deploy patches immediately via GPO or endpoint management
- Audit Startup folders on all workstations
- Block .rar file attachments at email gateway (temporary measure)
Medium Priority
- Implement EDR monitoring for Startup folder modifications
- Conduct phishing simulation with RAR attachments
- Review incident response procedures for ransomware scenarios
Low Priority
- Evaluate WinRAR alternatives (7-Zip, PeaZip)
- Harden Windows Startup mechanisms via Group Policy
- Consider application control policies (AppLocker, WDAC)
Timeline
| Date | Event |
|---|---|
| Unknown | Vulnerability introduced in WinRAR codebase |
| Jan 2026 | First exploitation observed by threat intelligence firms |
| Feb 2026 | Russian and Chinese APTs actively exploiting in phishing campaigns |
| Feb 10, 2026 | Patch released by RarLab (WinRAR 7.10) |
| Feb 12, 2026 | Public disclosure of active exploitation |